Continuous variable measurement device independent quantum conferencing with postselection

A continuous variable (CV), measurement device independent (MDI) quantum key distribution (QKD) protocol is analyzed, enabling three parties to connect for quantum conferencing. We utilise a generalised Bell detection at an untrusted relay and a postselection procedure, in which distant parties reconcile on the signs of the displacements of the quadratures of their prepared coherent states. We derive the rate of the protocol under a collective pure-loss attack, demonstrating improved rate-distance performance compared to the equivalent non-post-selected protocol. In the symmetric configuration in which all the parties lie the same distance from the relay, we find a positive key rate over 6 km. Such postselection techniques can be used to improve the rate of multi-party quantum conferencing protocols at longer distances at the cost of reduced performance at shorter distances.

www.nature.com/scientificreports/ case. Quantum conferencing has attracted a great deal of interest and a variety of protocols have been proposed, including MDI protocols with discrete variables 34 , twin field protocols [35][36][37] , consideration of the effect of finite sized keys 38 and recently a continuous variable MDI protocol 39 .
In this work, we provide the first demonstration that the same post selection techniques typically applied to two party QKD can also be utilised to increase the effective range at which CV MDI quantum conferencing can occur. We utilise the same generalised Bell detection from the CV MDI quantum conferencing protocol introduced in 39 to establish multipartite correlations between the user's variables and a similar postselection procedure to that used in 29 to extend the effective range of the protocol. Whilst we are restricted by the need to perform numerical integration in large number of dimensions to consider only three parties and pure loss attacks, the protocol presented here is in principle readily extended to N users and entangling cloner attacks.
The structure of the paper is as follows: in "Protocol and detector" we introduce the protocol and explain the structure of the detector; "Rate" explains how the rate of the protocol is calculated; "Results" provides results and "Conclusion" is for conclusions.

Protocol and detector
In this paper, we consider the case of three users undertaking quantum conferencing. The three parties: Alice, Bob and Charlie individually prepare Gaussian modulated coherent states. Each party individually has access to an independent zero-mean Gaussian distribution with standard deviations σ A , σ B , σ C respectively. Each party then draws two independent values from their respective distributions for the value of the q and p quadratures of their coherent state. They encode the absolute values in the variables Q i and P i respectively and the signs in κ i and κ ′ i . Thus they prepare coherent states of the form: Each state is sent through a lossy channel to the detector which may be attacked by an eavesdropper (Eve). This is modelled as a beamsplitter attack in which Eve inserts a beamsplitter into each channel, storing the outputs in a quantum memory. In a pure loss attack, Eve does not actively inject any state at the beamsplitter and thus each coherent state is instead mixed with the vacuum state |0�.
The structure of the detector is illustrated in Fig. 1 and was devised in 39 to perform a generalised Bell detection on the incoming coherent states. It is comprised of a cascade of beamsplitters, each having transmissivity T i = i i+1 . In the case of three parties, which we consider, this corresponds to T 1 = 1/2 and T 2 = 2/3 . The beamsplitters are followed by two q (p) homodyne detections and a final homodyne detection in the p (q) quadrature and the results of all the measurements are publicly broadcast. Operated correctly, in the entanglement based representation 1 the detector has the effect of projecting the Alice-Bob-Charlie state into a symmetric state with GHZ-like correlations between each parties state 39 . The two possible configurations are switched between randomly and are announced during the basis reconciliation stage of the protocol. If the first configuration (two q and one p detection) was selected, the parties will attempt to reconcile their values of κ ′ A , κ ′ B , κ ′ C into a secure key. Conversely, if the second configuration is utilised, the parties will attempt to reconcile their values of κ A , κ B , κ C . At this point each party reveals their values of Q i and P i , and publicly broadcasts them to every other user. Using In the first configuration (pictured left) the states undergo two q homodyne detections and one p homodyne detection. The parties will attempt reconciliation between κ ′ A , κ ′ B , κ ′ C . In the second orientation (pictured right) the states undergo two p homodyne detections and one q homodyne detection. In this case the parties attempt reconciliation on κ A , κ B , κ C . www.nature.com/scientificreports/ their knowledge of Q i and P i , the parties can perform postselection, only retaining instances of the protocol where their mutual information exceeds Eve's Holevo information. Figure 2 depicts the protocol being performed under the pure loss attack assumed throughout this paper.

Rate
We first sketch the method used to determine the rate. At the end of the protocol the parties perform pairwise reconciliation between κ A , κ B , κ C or κ ′ A , κ ′ B , κ ′ C depending on the orientation of the detector. In the asymptotic limit of a large number of uses the rate of the protocol is given by: where I ij is the binary mutual information between the sign variables κ i and κ j or κ ′ i and κ ′ j . χ is the Holevo information. The mutual information can be found by utilising Bayes' Theorem and the distribution of measurement outcomes as detailed in "Mutual information". The Holevo information is calculated by carefully considering Eve's state at the end of the protocol as explained in "Holevo bound". Additionally, since we ultimately wish to perform postselection to increase the performance of the protocol we work with single-point versions of the above quantities Ĩ ij and χ which are the values conditioned upon the quadratures and measurement outcome. To this end we start by considering the initial covariance matrix of the Alice-Bob-Charlie-Eve system, which is given by: where I is the two-by-two identity matrix and for a pure loss attack V E = I ⊕ I ⊕ I . The mean value of the Alice-Bob-Charlie system is: The mean value of Eve's system is zero. After propagation through the detector's array of beamsplitters and the homodyne detections, the distribution of measurement outcomes is given by: where We have implicitly removed the conditioning on the modulus and absolute value of the q quadratures from the notation as there is no dependence upon them. Similarly for the opposite detector configuration:

Mutual information.
We first introduce the following compact notation which simplifies the following expressions. Let us recall the definition of the single point mutual information between the two binary variables κ ′ i and κ ′ j . This is clearly just the mutual information conditioned on the announced variables γ p and P P P: where H is the binary entropy so that: and From the symmetry of the detector we have I AB = I AC = I BC and for simplicity we consider only I AB from this point onwards. Using Eq. (5) and Bayes' theorem we first calculate the probability of positive and negative values for κ ′ A conditioned on κ ′ B ,κ ′ C , the magnitudes of the p quadratures P P P and the measurement outcome γ p : Noting that, and p(κ ′ A |κ ′ \ A , P P P) = 1/2 we reach: We may then remove the conditioning on κ ′ C to find p(κ ′ A |κ ′ B , P P P, γ p ) for the second term in the single point mutual information.
so that we may write Similarly to further remove the dependence from κ ′ B : By the same approach we can also find p(κ ′ B |P P P, γ p ) , enabling the sum in Eq. (9) to be taken. Finally in order to take the integral over the single point mutual information we require the probability of all the variables Holevo bound. At the end of the protocol Eve is left with the state ρ E|P P P,γ p which is her total state conditioned on the announced absolute values of the p quadratures P P P and the measurement outcome γ p . This state is a convex combination of pure Gaussian states corresponding to given values of κ ′ A , κ ′ B , κ ′ C and hence Eve's total state may be written: p(γ p |κ ′ , P P P) κ ′ A p(γ p |κ ′ , P P P) . www.nature.com/scientificreports/ It is important to note that whilst the conditional states, ρ E|κ ′ ,P P P,γ p , are pure and Gaussian the total state, ρ E|P P P,γ p is not, which complicates our analysis. Nonetheless, assuming that Eve performs a collective attack on the protocol the relevant quantity to calculate is the Holevo information χ . We can again write this as a single point quantity in the following way.
where χ(E : κ ′ i | P P P, γ p ) is the single point Holevo information and S is the von Neumann entropy which we recall is calculated from the eigenvalues { i } of a density matrix ρ by: First let us write the conditional states ρ E|κ ′ P P Pγ p as: We consider the matrix of overlaps O of this state for all the combinations of κ ′ The values in the far column denote the row values of κ ′ A , κ ′ B , κ ′ C . The columns may be similarly labelled. O is clearly separable as: which implies: Each of these states lies in a two-dimensional Hilbert space. Using x to index the parties A, B, C we may expand the states as: and find the following relation for the coefficients: where X labels the corresponding values A, B, C from Eq. (23). For two Gaussian states with the same covariance matrix V and mean values x 1 and x 2 the following relation holds 40 : which we use to calculate (19) ρ E|P P P,γ p = κ ′ p(κ ′ |P P P, γ p )ρ E|κ ′ ,P P P,γ p .
1 �} basis. Describing the row position with the binary string (i, j, k) and similarly the column position with (i ′ , j ′ , k ′ ) each component of the density matrix can be calculated by: By calculating the following inner products: we can therefore immediately find the diagonal components of the density matrix: The off diagonal terms are given by: where �(i, j, k, i ′ , j ′ , k ′ ) is given by where f is a function such that f (κ i = −1) = 0 and f (κ i = 1) = 1 . We therefore have all the components of ρ E|P P P,γ p from which we may numerically find the eigenvalues and compute the first term in the Holevo bound (Eve's conditional output state following the protocol ρ E|P P P,γ p has dimension 2 N . Therefore for N ≥ 3 , including the tri-partite case considered in this paper, the eigenvalues of this state cannot be given in closed form. Therefore the entropy of the state and consequently the single point Holevo information χ can only be evaluated numerically for given values of the protocol's parameters. This greatly complicates numerical integration in Eq. (47) as no explicit expression for the single point rate can be given. It is for this reason that our analysis is limited to pure loss attacks and three users, even though the analysis is readily extended to an arbitrary number of users and entangling cloner attacks.). For the second term in the Holevo bound we need Eve's state conditioned on κ A . If κ ′ A = −1: The same method explained above may be used to determine components of these density matrices in the {|� 1 �} basis. The eigenvalues may then be used to calculate the second term in the Holevo bound.
Postselection. We now demonstrate how the single point quantities may be used to calculate the postselected rate R PS . The mutual information I AB may be found by integrating the single point mutual information Ĩ AB Similarly we do the same for the Holevo information: (33) C = �E P P P,γ p κ C =−1 |E P P P,γ p κ C =1 �.
ρ E|κ ′ A =−1,P P P = |E P P P,γ p κ ′ (44) I AB = p(P P P, γ p )Ĩ AB (P P P, γ p ) dP P P dγ p (45) χ = p(P P P, γ p )χ(P P P, γ p ) dP P P dγ p The postselection ensures the parties only use instances of the protocol where the single point rate is positive. Hence the postselected rate R PS becomes: where Ŵ denotes the region in which the single point rate is positive.

Results
We now present the numerical results for the post-selected rate of the protocol. By utilising the relation τ = 10 −γ d and setting γ = 0.02/km (equivalent to 0.2 db/km), which corresponds to state of the art fibre optics, the rate of the protocol is expressed in terms of distances (d) of the parties from the detector. In particular, we consider the symmetric configuration in which each of the parties is located the same distance from the detector. Other asymmetric configurations can be considered within the same framework, by mapping the distance of the user furthest away into the transmissivity of each incoming channel. Thus the results presented here represent the worst case scenario for any other asymmetric configuration of the parties. Figure 3 shows the rate-distance performance of the protocol in the asymptotic limit, assuming that a pureloss attack is undertaken by Eve. We work with perfect detector efficiency and with the variance of each prepared quadrature σ A = σ B = σ B = 1 . We note that in general it may be possible to optimise the performance of the protocol over these parameters. Our results demonstrate that a positive rate can be maintained over a greater distance than in the corresponding 3-party case (shown for comparison in Fig. 3, albeit at the cost of lower rates at short distances). In particular the new protocol outperforms the equivalent protocol without postselection for distances greater than ∼ 1 km.

Conclusion
We have demonstrated a 3-party CV-MDI-QKD protocol that combines a generalised Bell detection with a postselection regime based on performing reconciliation on the signs of prepared quadratures of coherent states. We show that improved rate-distance performance is possible compared to the equivalent 3-party protocol without postselection, allowing a rate in excess of 10 −4 bits per use at greater than 3 km and a positive rate for distances of up to ∼ 6 km . Our protocol also outperforms the equivalent protocol without postselection for distances greater than ∼ 1 km . Moreover since these protocols have exactly the same structure in terms of state preparation and the detector relay, it is possible to use one such relay to perform either protocol, choosing whichever will give the higher rate. That is, if the users are able to establish their distances from the detector, they choose whether or not to announce the absolute values of their quadratures and undertake postselection depending on whether or not this will produce a better rate. Whilst σ A , σ B , σ C are preset so any optimisation over these parameters must consider both protocols simultaneously it is still possible to retain the advantages of higher rate at shorter distances from the non-postselected protocol in addition to the improved long distance performance from our protocol.
(47) R PS = p(P P P, γ p ) max R (P P P, γ p ), 0 dP P P dγ p (48) = Ŵ p(P P P, γ p )R(P P P, γ p ) dP P P dγ p www.nature.com/scientificreports/ The need to undertake a high-dimensional numerical integral given in Eq. (47), for a function that cannot be given in closed form (Eve's conditional output state following the protocol ρ E|P P P,γ p has dimension 2 N . Therefore for N ≥ 3 , including the tri-partite case considered in this paper, the eigenvalues of this state cannot be given in closed form. Therefore the entropy of the state and consequently the single point Holevo information χ can only be evaluated numerically for given values of the protocol's parameters. This greatly complicates numerical integration in Eq. (47) as no explicit expression for the single point rate can be given. It is for this reason that our analysis is limited to pure loss attacks and three users, even though the analysis is readily extended to an arbitrary number of users and entangling cloner attacks.) to compute the post-selected key rate, limits our analysis to the 3-party case and pure-loss attacks. Nonetheless it may be possible to extend the study to the general N party case, maintaining the same structure of detector as in 39 and considering entangling cloner attacks. Thus, our new protocol demonstrates that secure, multi-party conferencing can be achieved over improved distances, while retaining the security advantages of an MDI QKD protocol.

Data availability
The datasets used and analysed during the current study are available from the corresponding author on reasonable request.